|
|
OpenLDAP概述
OpenLDAP 是一款轻量级目录访问协议(Lightweight Directory Access Protocol,LDAP),属于开源集中账号管理架构的实现,且支持众多系统版本,被广大互联网公司所采用。
LDAP 具有两个国家标准,分别是X.500 和LDAP。OpenLDAP 是基于X.500 标准的,而且去除了X.500 复杂的功能并且可以根据自我需求定制额外扩展功能,但与X.500 也有不同之处,例如OpenLDAP 支持TCP/IP 协议等,目前TCP/IP 是Internet 上访问互联网的协议。
OpenLDAP 则直接运行在更简单和更通用的TCP/IP 或其他可靠的传输协议层上,避免了在OSI会话层和表示层的开销,使连接的建立和包的处理更简单、更快,对于互联网和企业网应用更理想。LDAP 提供并实现目录服务的信息服务,目录服务是一种特殊的数据库系统,对于数据的读取、浏览、搜索有很好的效果。目录服务一般用来包含基于属性的描述性信息并支持精细复杂的过滤功能,但OpenLDAP 目录服务不支持通用数据库的大量更新操作所需要的复杂的事务管理或回滚策略等。
OpenLDAP 默认以Berkeley DB 作为后端数据库,Berkeley DB 数据库主要以散列的数据类型进行数据存储,如以键值对的方式进行存储。Berkeley DB 是一类特殊的数据库,主要用于搜索、浏览、更新查询操作,一般对于一次写入数据、多次查询和搜索有很好的效果。Berkeley DB 数据库是面向查询进行优化,面向读取进行优化的数据库。Berkeley DB 不支持事务型数据库(MySQL、MariDB、Oracle 等)所支持的高并发的吞吐量以及复杂的事务操作。
OpenLDAP 目录中的信息是按照树形结构进行组织的,具体信息存储在条目(entry)中,条目可以看成关系数据库中的表记录,条目是具有区别名(Distinguished Name,DN)的属性(attribute),DN 是用来引用条目,DN 相当于关系数据库(Oracle/MySQL)中的主键(primary key),是唯一的。属性由类型(type)和一个或者多个值(value)组成,相当于关系数据库中字段的概念。
一、OpenLDAP安装及配置
1、安装openldap及配置
yum install -y openldap openldap-*
rpm -qa|grep openldap
openldap-clients-2.4.40-16.el6.x86_64
openldap-servers-2.4.40-16.el6.x86_64
openldap-servers-sql-2.4.40-16.el6.x86_64
openldap-2.4.40-16.el6.x86_64
openldap-devel-2.4.40-16.el6.x86_64
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
2、生成openldap密码
[root@qas-openldap-nodes01 ~]# slappasswd -s qas@2018
{SSHA}R5Pyt+KNMgxf71fLF8/y89gJgs/Uxfqp
3、修改slapd.conf
grep -n ^[a-Z] /etc/openldap/slapd.conf
6:include /etc/openldap/schema/corba.schema
7:include /etc/openldap/schema/core.schema
8:include /etc/openldap/schema/cosine.schema
9:include /etc/openldap/schema/duaconf.schema
10:include /etc/openldap/schema/dyngroup.schema
11:include /etc/openldap/schema/inetorgperson.schema
12:include /etc/openldap/schema/java.schema
13:include /etc/openldap/schema/misc.schema
14:include /etc/openldap/schema/nis.schema
15:include /etc/openldap/schema/openldap.schema
16:include /etc/openldap/schema/ppolicy.schema
17:include /etc/openldap/schema/collective.schema
20:allow bind_v2
26:pidfile /var/run/openldap/slapd.pid
27:argsfile /var/run/openldap/slapd.args
66:TLSCACertificatePath /etc/openldap/certs
67:TLSCertificateFile "\"OpenLDAP Server\""
68:TLSCertificateKeyFile /etc/openldap/certs/password
98:database config
99:access to *
104:database monitor
105:access to *
114:database bdb
115:suffix "dc=qas-domain,dc=com"
116:checkpoint 1024 15
117:rootdn "cn=Manager,dc=qas-domain,dc=com"
122:rootpw {SSHA}R5Pyt+KNMgxf71fLF8/y89gJgs/Uxfqp
127:directory /var/lib/ldap
130:index objectClass eq,pres
131:index ou,cn,mail,surname,givenname eq,pres,sub
132:index uidNumber,gidNumber,loginShell eq,pres
133:index uid,memberUid eq,pres,sub
134:index nisMapName,nisMapEntry eq,pres,sub
4、检测并重新生成ldap数据库
[root@qas-openldap-nodes01 ~]# rm -rf /etc/openldap/slapd.d/*
[root@qas-openldap-nodes01 ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
5bcac4b6 bdb_db_open: database "dc=qas-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5bcac4b6 backend_startup_one (type=bdb, suffix="dc=qas-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
[root@qas-openldap-nodes01 ~]# slaptest -u
config file testing succeeded
[root@qas-openldap-nodes01 ~]# ll /etc/openldap/slapd.d/*
-rw-------. 1 root root 1259 10月 20 14:01 /etc/openldap/slapd.d/cn=config.ldif
/etc/openldap/slapd.d/cn=config:
总用量 80
drwxr-x---. 2 root root 4096 10月 20 14:01 cn=schema
-rw-------. 1 root root 59398 10月 20 14:01 cn=schema.ldif
-rw-------. 1 root root 663 10月 20 14:01 olcDatabase={0}config.ldif
-rw-------. 1 root root 596 10月 20 14:01 olcDatabase={-1}frontend.ldif
-rw-------. 1 root root 695 10月 20 14:01 olcDatabase={1}monitor.ldif
-rw-------. 1 root root 2724 10月 20 14:01 olcDatabase={2}bdb.ldif
5、修改相关ldap文件权限
chown -R ldap:ldap /var/lib/ldap/
chown -R ldap:ldap /etc/openldap/
6、启动slapd服务
chkconfig slapd on
/etc/init.d/slapd start
/etc/init.d/slapd status
lsof -i:389
二、migrationtools安装及配置
1、yum安装migrationtools
yum install -y migrationtools
2、配置migrationtools
vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "qas-domain.com";
# Default base
$DEFAULT_BASE = "dc=qas-domain,dc=com";
3、生成base.ldif文件
cd /etc/openldap/
/usr/share/migrationtools/migrate_base.pl >base.ldif
grep -n ^[a-Z] base.ldif
1:dn: dc=qas-domain,dc=com
2:dc: qas-domain
3:objectClass: top
4:objectClass: domain
6:dn: ou=Hosts,dc=qas-domain,dc=com
7:ou: Hosts
8:objectClass: top
9:objectClass: organizationalUnit
11:dn: ou=Rpc,dc=qas-domain,dc=com
12:ou: Rpc
13:objectClass: top
14:objectClass: organizationalUnit
16:dn: ou=Services,dc=qas-domain,dc=com
17:ou: Services
18:objectClass: top
19:objectClass: organizationalUnit
21:dn: nisMapName=netgroup.byuser,dc=qas-domain,dc=com
22:nismapname: netgroup.byuser
23:objectClass: top
24:objectClass: nisMap
26:dn: ou=Mounts,dc=qas-domain,dc=com
27:ou: Mounts
28:objectClass: top
29:objectClass: organizationalUnit
31:dn: ou=Networks,dc=qas-domain,dc=com
32:ou: Networks
33:objectClass: top
34:objectClass: organizationalUnit
36:dn: ou=People,dc=qas-domain,dc=com
37:ou: People
38:objectClass: top
39:objectClass: organizationalUnit
41:dn: ou=Group,dc=qas-domain,dc=com
42:ou: Group
43:objectClass: top
44:objectClass: organizationalUnit
46:dn: ou=Netgroup,dc=qas-domain,dc=com
47:ou: Netgroup
48:objectClass: top
49:objectClass: organizationalUnit
51:dn: ou=Protocols,dc=qas-domain,dc=com
52:ou: Protocols
53:objectClass: top
54:objectClass: organizationalUnit
56:dn: ou=Aliases,dc=qas-domain,dc=com
57:ou: Aliases
58:objectClass: top
59:objectClass: organizationalUnit
61:dn: nisMapName=netgroup.byhost,dc=qas-domain,dc=com
62:nismapname: netgroup.byhost
63:objectClass: top
64:objectClass: nisMap
4、将base.ldif导入ldap
ldapadd -x -D "cn=Manager,dc=qas-domain,dc=com" -W -f /etc/openldap/base.ldif
Enter LDAP Password: #输入密码qas@2018
adding new entry "dc=qas-domain,dc=com"
adding new entry "ou=Hosts,dc=qas-domain,dc=com"
adding new entry "ou=Rpc,dc=qas-domain,dc=com"
adding new entry "ou=Services,dc=qas-domain,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=qas-domain,dc=com"
adding new entry "ou=Mounts,dc=qas-domain,dc=com"
adding new entry "ou=Networks,dc=qas-domain,dc=com"
adding new entry "ou=People,dc=qas-domain,dc=com"
adding new entry "ou=Group,dc=qas-domain,dc=com"
adding new entry "ou=Netgroup,dc=qas-domain,dc=com"
adding new entry "ou=Protocols,dc=qas-domain,dc=com"
adding new entry "ou=Aliases,dc=qas-domain,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=qas-domain,dc=com"
5、检查ldapadd是否成功
ldapsearch -x -D "cn=Manager,dc=qas-domain,dc=com" -b "ou=Aliases,dc=qas-domain,dc=com" -W
Enter LDAP Password: #输入密码qas@2018
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Aliases, qas-domain.com
dn: ou=Aliases,dc=qas-domain,dc=com
ou: Aliases
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
三、phpldapadmin 安装及配置
1、yum安装httpd及PhpLdapAdmin
yum install -y httpd phpldapadmin
2、phpldapadmin 配置文件
vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
# Apache 2.4
Require local
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from all
3、修改phpldapadmin配置用DN登录
vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');
修改为:
$servers->setValue('login','attr','dn');
4、启动httpd服务
/etc/init.d/httpd start
chkconfig httpd on
5、打开Web UI并登录LDAP
http://172.16.8.251/phpldapadmin/
登录用户名为"cn=Manager,dc=qas-domain,dc=com qas@2018",密码为"qas@2018"
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2019-2-15 16:09:15
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡